Trading security for convenience in 2023
24/2/23, 12:30 pm
National Portfolio Manager Security at NEC Australia, Connell Perera, discusses balancing employee needs and productivity with effectively securing your environment
Over the last two years the Australian corporate landscape experienced a seismic shift to remote and hybrid workforces. Australian organisations scrambled to set up staff with remote access and, in a productivity panic, focused firmly on availability. In essence, that left the other two parts of the cyber security triad – confidentiality and integrity – as lesser priorities.
Employees demanded access to more and more cloud-based applications from anywhere, on any device. Providing greater convenience led to a larger and increasingly complex attack surface for organisations, one exploited more and more by sophisticated threat actors.
On one hand, employees want to be able to access their work systems and data quickly and easily, without being burdened by excessive security protocols. On the other hand, organisations must ensure their systems and data are protected from cyber threats and unauthorised access. They can’t spend their way out of a cyber crisis or force an end to remote work.
The pressure is on internal cyber security teams to keep everyone connected, productive and secure while their entire risk profile shifts.
Re-thinking your acceptable level of risk
It's not a binary choice between managing your acceptable levels of security risk and your employees' productivity, and the growth of cloud-based applications stretches these parameters further.
According to Gartner, only 66% of CISOs identified as top performers collaborate with senior business decision-makers to define their organisation’s risk appetite.
Understanding risk and identifying the amount of risk your business is comfortable accepting should inform your cyber security strategy. Your organisation should focus on identifying which risks you want to avoid, which risks you want to transfer and which risks you want to mitigate.
You also need to communicate your cyber risks and emerging threats to your broader business functions.
It is paramount to describe to your Board the types of risk, and in what amounts, your organisation will accept, and to embed the methods and means to quantify and rank these risks.
When employee friction threatens security
Employee friction is an example of how not understanding your risk can expose network vulnerabilities or spark a productivity crash. If your frustrated workforce turns to shadow IT and third-party workarounds to get the job done, and doesn't understand why that is a problem, this is not an acceptable level of risk.
This is where your cyber security culture comes into play.
Remote workers shouldn’t need to accept inferior usability or security – but they should be aware of their role in security. Is there an effective program of cyber risk education from entry to Board level in your organisation?
Clear boundaries, communicated well, are a critical step to getting on the same side as your employees and being united in managing your security risks: protecting sensitive data and critical systems, meeting compliance requirements, managing brand and reputation risk, and limiting your liability exposure.
The flipside to not enough security? Overkill.
A mature security posture includes accepting that prevention is important, but not everything. Your systems will be breached!
Organisations that take security too far threaten availability, productivity, and staff retention. Are your leaders championing pragmatic security that doesn’t alienate employees? Is there visible investment in empowering the remote experience and encouraging flexibility?
Recent research on Australian organisations identified three common mistakes made when securing a remote workforce: limiting device choice, sluggish software and onerous security rules.
Limiting device choice
Employees value a choice of device and operating system, and familiar technology unlocks productivity gains. But in response to the evolving threat landscape, companies offering device choice dropped from 61% to 40% in the past six years.
Access to business applications is often through a mandated VPN that drains battery and impacts connection performance – leading to dropouts, slow speeds and frustrated employees.
Employees are generally willing to cooperate on security until it causes friction or inconvenience. Unfortunately, traditional security rules – like forcing employees to sign into apps every few hours or restricting external platforms – tend to breed resentment rather than buy-in.
Security versus convenience is in constant flux as threats evolve and the attack surface grows. Getting the balance right is critical to capitalising on remote work and meeting the challenges of the continued skills shortage.
Maturing your attitude to risk will help with the security and convenience conversation.
Talk to NEC Australia today to help you win the debate.